I am constantly reading how representatives or fans of parties with a hardline retiree electorate, or of parties that rely on less literate citizens, hysterically reject online voting because it would not be reliable.
I think this is the most ridiculous argument the opponents of e-voting have produced ahead of the referendum on it. Whether online voting is reliable depends solely on how it is implemented. That is a technical problem and has no bearing on whether it should be used at all. Online voting can be made very safe and reliable; it may in fact be significantly more reliable than our current attendance voting. But it can also be made very unreliable, even less reliable than our current attendance voting.
There is no reason in principle that makes remote voting unreliable other than the procedures chosen for conducting it. And that is not relevant to the discussion on the referendum, which is simply whether to have online voting or not. Those are technical details to be discussed openly and actively if the referendum gives a positive answer and triggers a public debate that can lead to changes in legislation and allow online voting.
For me, technology discussions at this stage are premature. They are the equivalent of saying: let's not vote at all, because the vote can be falsified. Would we be better off with a monarchy or a one-party dictatorship? 🙂 The theses are not so different, and perhaps precisely because of this, monarchist movements and fans of one-party dictatorship are the main opponents of online voting.
This does not mean that I am avoiding a discussion on technology. It is my passion. In this text I want to describe a procedural model: how online voting can be implemented in a reliable and anonymous way. It is not a proposal for how to implement it, nor a statement that it should be implemented exactly in this manner. It is only an example showing that it can be done. The technological discussion becomes relevant after the decision to have online voting is made. In it, we would have to be wary of any possible State blunders. But at the same time, we should not believe that the State exists only to make blunders, because otherwise what is the point of having it? It would be best to have another king or feudal lord to govern us, right? Ah, yes, I have just explained another thesis of the opponents 🙂
It does not really matter whether we are talking about online or paper voting, attendance or remote voting: anything can be made reliable or unreliable. The main point is never the technology and the algorithms, but the procedure used to implement them.
In this sense, let's leave technology aside for now. Let's talk about procedures.
Nor do I intend to say that a procedure for remote voting guarantees absolute security and reliability. I only want to say that it can always be made better and more reliable than the current procedure for attendance voting.
The requirements for any vote, whether attendance or remote, are that it be personal, secret, and secure (meaning that a ballot cannot be substituted).
This is not about online voting as such. We can have non-attendance online voting and attendance online voting (the latter has been tested for years in the country and is called machine voting because a machine assists the voter), and the technology is not of crucial importance. The main issue is the implementation procedures (including those for the technology).
The procedure I am describing applies to all of them: non-attendance voting, attendance machine voting, and paper ballots. A similar procedure, in an appropriate legal form, is already being developed by another group of enthusiasts, and although I differ on some specific details, the basic ideas are the same.
In attendance voting, the "personal" requirement is usually guaranteed by an identification (authentication) mechanism such as an identity card. If the person looks like the picture on the ID card, and if the issuer and the card are trustworthy, then it is accepted (with no absolute guarantee) that the individual is who they claim to be and is coming to vote in person.
The secrecy of the vote is guaranteed by anonymous ballots and anonymous voting in a booth inside a public room, one that third parties certify has no one else inside (again with no absolute guarantee).
The security of the vote should be ensured by the fact that no ballot other than those of the people who actually vote can end up in the urn. Nor can a ballot be replaced, because the urn is guarded vigilantly by people who are supposed to be adversaries and to watch one another closely (the electoral commission is composed of representatives of different parties).
We know well, however, that more than one in 10,000 identity cards is forged. We also know about the so-called "dead souls": people who are entitled to vote and are included in the voting lists but have died, and whose uncast ballots are placed in the urns at the last minute without raising suspicion during the central count, because the number of ballots stays at or below the expected number.
Just for the upcoming elections more than 500,000 "dead souls" have been removed from the lists (because of the residency requirement). These are not all of them, but the figure is a good indicator of how inaccurate the voting lists actually are. Another 700,000 were removed before earlier elections. But continuing urbanization (in local elections there is a residency requirement), emigration and mortality naturally keep producing "dead souls" in the voting lists, since these local lists cannot be completely accurate (although there is a way to do it centrally).
We know that some people vote at two different polling stations. Because attendance voting cannot provide a real-time nationwide check of whether someone has already voted, the ballot is accepted; and because the origin of a cast ballot cannot be validated afterwards, the double vote cannot be removed. So although we know about the offense, it remains in the counted result.
We know many other things as well... In some places, local cartels of electoral commission members add their own ballots at the last moment and there is no way to tell which ballots are real and which are not. Overall, election errors (invalid or duplicated ballots, "dead souls") range between 5 and 15% and are usually not decisive for the overall result. But they are decisive for the distribution of local mandates, and in local elections, where often one seat (because of fragmentation) or one mayor is decided by fewer than 5,000 votes. These errors, and low turnout, also matter for parties that enter Parliament or receive a subsidy. For example, in the previous parliamentary elections, only 50,000 additional votes in turnout (less than 1% of those eligible) made the difference as to whether Alternative for Bulgarian Revival (ABV) and Ataka won seats in Parliament. It did not even matter whom those people voted for, because this was a matter of how the mandates were distributed. They entered Parliament only because of the low turnout. I don't "know" whether this is one of the reasons why both parties are firm opponents of every method of increasing turnout (advertising, compulsory voting or online voting; in fact, ABV officially supports the latter, but its representatives speak publicly against it).
All these and other flaws stem from the fact that there is no established mechanism for double validation. We have known about them for years; we comment on them at every election and keep amending the Electoral Code to attack yet another problem, without much success.
The reliability of attendance voting relies excessively on threats (fines), on politically composed electoral commissions (which are supposed to watch one another out of natural political competition), and on election observers. But over the years the set of people and parties entitled to sit on electoral commissions has been gradually narrowed to parliamentary parties or coalitions, which tolerates natural cartel agreements and significantly undermines the control at the polling station. Separately, independent election observers are being reduced in number too (because of the complicated registration procedure and the requirement that they come mostly from political parties), and these observers in turn commit breaches as voters (mostly with duplicate ballots).
Let’s imagine, however, the following hypothetical situation:
We divide the components: personal authorization, entitlement to vote (the ballot), association of the ballot with a vote (voting), and the counting of votes. Each of these elements is authorized and verified by a separate and independent organization, while something else (mathematics, say) binds each component to its immediate neighbours, but never to one further along the chain. Then many of the distortions (though not all) of the current model would be resolved automatically.
I will explain in more detail. We currently have all of this in place, but let's imagine that it is completely separated into individual organizations and that the processes run independently. I can identify the following separate and independent components:
- Authorization, from one place, that you are the person you present yourself to be, and the issuing of an appropriate identifier for it (currently this is the identity card issued by the Ministry of the Interior, but it could also be a digital signature or something else from a single organization);
- Authorization that you have the right to receive a ballot with which to vote (today the electoral commission does this: it checks the voting list and confirms that you are who you claim to be by means of the credential issued by organization 1. In the online version you can receive a randomly generated online credential that is verifiable mathematically (it may be a hash value) and signed with the certificate of this second organization, so that it cannot be altered);
- Association of the ballot with the vote (today the electoral commission does this by stamping your ballot to attest to third parties that it is valid. In the online version this can be done by a third organization, for example a site where you sign your vote online with the credential received from organization 2);
- Counting the ballots (done by the Central Electoral Commission, CEC, with Information Services as subcontractor). In the online vote this would be the counting and double validation of the online ballots by a fourth organization.
Let's imagine that the system above is implemented in the following manner (again, the technology is only an example and is not what matters; the procedures and principles are):
- You obtain a digital signature that validates that you are who you claim to be. It contains your unique certificate, validated by a certificate issuer (all bank branches currently do this for a fee of 15 levs) that is entitled to do so (the equivalent of the Ministry of the Interior). The digital signature is only an example: it could be your digital identity card (the personal card available from 2017 onwards), or a one-time-password system of some other form. It does not really matter; the technology is not important at this stage;
- Against your digital signature you obtain a digital ballot. It is, say, a hash value, signed with your certificate (without identifying information) or with a more anonymous alternative, such as a modified Diffie-Hellman exchange or a unique random private key (both of which can again be obtained through your digital signature). The resulting data is in turn signed with the certificate of the organization issuing the digital ballot (there is room for variation here: for example, you may be given a unique, randomly generated public/private key pair);
- You go to the voting site, sign the ballot with the private key you obtained, and send it to the voting site, which signs it with its own certificate (today these are the stamps of the electoral commission) and transfers it, immediately or later, to the organization in charge of counting (or immediately to an intermediate organization that passes it on to the counting organization after the end of election day);
- The counting organization receives all the signed ballots. It has the public keys of 1, 2 and 3 (but not the private ones), so it can verify the chain of signatures (while nobody else can read more than their own part), count the ballots and complete the validation. Separately, it has received from 2 the list of generated hashes; these can be validated mathematically (proving that they are genuine), and only ballots carrying a correct hash are accepted.
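The four-step procedure above, carried through end to end as an added worked example that is not part of the original post. Everything in it is constructed: the voter identifiers V1 and V2, the "A"/"B" choices, the insider's fake record, and the choice of textbook RSA with small primes (generated by a short Miller-Rabin routine) as a stand-in for the real digital signature; a real system would use standard signature libraries and certificates. It also serves as the concrete illustration of the signing and certificate primitives that the glossary at the end of the post describes: organization 1 signs (certifies) the voter's public key, and every later step verifies the previous one with a public key only.

```python
# Added example, not from the original post: a runnable toy of the four-
# organization split. Textbook RSA over SHA-256 with 192-bit primes stands in
# for real signatures so it needs only the standard library; it models the
# procedure and who holds which key, not production cryptography.
import hashlib
import secrets
from collections import Counter

def _is_probable_prime(n, rounds=16):            # Miller-Rabin; n is always odd and large here
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def keygen(bits=192):                            # ((n, e), (n, d)); n > 2**256 so a digest fits
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                   # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(priv, data):                            # textbook RSA on the SHA-256 digest (toy)
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def certify(identity_priv, voter_id, voter_pub):  # organization 1: binds a key to a person
    return sign(identity_priv, f"{voter_id}|{voter_pub}".encode())

class BallotIssuer:                              # organization 2: eligibility, ballot tokens
    def __init__(self, eligible, identity_pub):
        self.pub, self._priv = keygen()
        self._eligible, self._id_pub = set(eligible), identity_pub
        self._pepper = secrets.token_bytes(32)   # tokens cannot be linked to ids without it
        self.issued = set()                      # only tokens are kept, never a voter id
    def issue(self, voter_id, voter_pub, cert, ballot_pub):
        if voter_id not in self._eligible or not verify(
                self._id_pub, f"{voter_id}|{voter_pub}".encode(), cert):
            raise PermissionError("not eligible or bad identity certificate")
        token = hashlib.sha256(self._pepper + voter_id.encode()).hexdigest()  # same voter, same token
        self.issued.add(token)
        return token, sign(self._priv, f"{token}|{ballot_pub}".encode())

class VotingSite:                                # organization 3: checks, stamps, forwards
    def __init__(self, issuer_pub):
        self.pub, self._priv = keygen()
        self._issuer_pub, self.outbox = issuer_pub, []
    def cast(self, token, bpub, bsig, choice, seq, vsig):
        body = f"{token}|{bpub}|{choice}|{seq}".encode()
        if not verify(self._issuer_pub, f"{token}|{bpub}".encode(), bsig):
            raise ValueError("ballot was not issued by organization 2")
        if not verify(bpub, body, vsig):
            raise ValueError("vote is not signed by the ballot holder")
        self.outbox.append((token, bpub, bsig, choice, seq, vsig, sign(self._priv, body)))

def count(records, issued, issuer_pub, site_pub):  # organization 4: holds public keys only
    latest = {}                                  # token -> (seq, choice); the last vote wins
    for token, bpub, bsig, choice, seq, vsig, ssig in records:
        body = f"{token}|{bpub}|{choice}|{seq}".encode()
        if (token in issued and verify(issuer_pub, f"{token}|{bpub}".encode(), bsig)
                and verify(bpub, body, vsig) and verify(site_pub, body, ssig)
                and seq > latest.get(token, (-1,))[0]):
            latest[token] = (seq, choice)
    return dict(Counter(choice for _, choice in latest.values()))

def run_protocol_demo():                         # constructed run; returns the tally
    id_pub, id_priv = keygen()                   # organization 1's key pair
    org2 = BallotIssuer({"V1", "V2"}, id_pub)
    org3 = VotingSite(org2.pub)
    def vote(voter_id, voter_keys, choice, seq):
        vpub, _ = voter_keys
        bpub, bpriv = keygen()                                   # fresh ballot key, made locally
        cert = certify(id_priv, voter_id, vpub)                  # step 1
        token, bsig = org2.issue(voter_id, vpub, cert, bpub)     # step 2
        body = f"{token}|{bpub}|{choice}|{seq}".encode()
        org3.cast(token, bpub, bsig, choice, seq, sign(bpriv, body))  # step 3
    v1, v2 = keygen(), keygen()
    vote("V1", v1, "A", 1)
    vote("V2", v2, "A", 1)
    vote("V1", v1, "B", 2)           # V1 was coerced into "A"; re-votes "B" from elsewhere
    fpub, fpriv = keygen()           # an insider at 3 injects a ballot that 2 never issued
    fbody = f"deadbeef|{fpub}|A|1".encode()
    org3.outbox.append(("deadbeef", fpub, 0, "A", 1, sign(fpriv, fbody), sign(org3._priv, fbody)))
    return count(org3.outbox, org2.issued, org2.pub, org3.pub)   # step 4 -> {'A': 1, 'B': 1}
```

What the run shows: only the voter's locally held ballot key can sign a vote, so the record injected by an insider at organization 3 with a token that organization 2 never issued is thrown out at 4, and V1's second vote replaces the coerced first one because the sequence number sits inside the voter's own signature, so a replayed old record can never overtake a newer one. Two caveats the code makes visible: organization 2 could re-link a token to a voter because it holds the pepper used to derive the token (a blind signature would remove that trust, at the cost of a different token scheme), and "last vote wins" only works if the sequence number is part of what the voter signs.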
What is the result of this division into separate independent and unrelated organizations?
Fake signatures cannot be generated: the signatures at 2 and 3 are made locally by the voter. They travel over the Web, and the sites only receive already signed data; to produce a fake, somebody would have to compromise 1, 2 and 3 simultaneously. That is possible only on the voter's own computer, and even there it is not easy: just try replacing the contents of data signed by your own digital signature on your own computer. Let me know if you succeed.
Even assuming this is possible on the voter's computer, it cannot be done at scale (there is no way to reach and manipulate millions of computers and millions of certificates in a limited period of time), which already makes it better than the current model (after every election the CEC publishes statistics showing at least nearly 100,000 invalid or duplicate ballots, and that with its very conservative evaluation method). Such a substitution also requires interacting with the system at the very moment the user is being authorized. I would be extremely interested to hear how that could happen in mass online voting, in real time, over the course of election day. Even if there are one or two cases of substitution, they will have very little influence on the outcome, and online voting in particular allows a mechanism for detecting and correcting them.
We also have a guarantee of the secrecy of the vote, because only 1 knows who you are and whether you have the right to vote. Only 2 issues the ballot, against information from 1 (but it does not necessarily know who you are; it is enough for it to know that you have a valid certificate, which can be verified anonymously), and it knows neither whether you voted nor for whom. Only 3 can know (and even this is optional, since 3 need not hold a key that lets it read the ballot) which vote a given online ballot is associated with, but it does not know who voted. Only 4 can count and validate the ballots, again without knowing who voted.
To compromise the secrecy of the vote, one would have to compromise all four at the same time. It is theoretically possible for the State to organize this, but it is unlikely: first, it can easily be detected (much more easily than in attendance voting, because here records are kept everywhere), and second, nothing stops the State from doing it today, so this is not a technological problem of attendance voting either; it is a problem of State principles and a moral problem, and not something that online voting would newly introduce. The problem, if there is one, is one of organization, the State and culture.
Since signatures are made locally, by the voter, a hypothetical hacker who has compromised 2, 3 or 4 separately cannot generate fake signatures. They can neither sign (they do not have the users' private keys or the certificates from the preceding organization) nor create a valid certificate (because that requires participation end to end). It is theoretically possible to create fake signatures en masse by hacking 1, but the beauty of it is that such fakes are easily found (by the Civil Registration Office, GRAO, in real time or after the fact when checked by 4) and all votes generated this way can be removed from the results (by invalidating the hashes of 2 or the certificates of 1, the ballots are invalidated during the count at 4). This can be done even post factum, again while maintaining the complete anonymity of the voter.
Duplication is eliminated by validation against the active hashes at organization 4. I will say more on duplication below. Each online voter has only one valid vote.
How do we guarantee that the vote is personal? In my model this is done by the digital signature, but if needed it can be validated (at 2) by a video or a photograph taken during a call, which gives the same kind of check as the Electoral Commission's: they can see that you look like the picture.
What about eavesdropping? Even if someone watches logins and IP addresses, they can only guess that someone has voted, not establish with certainty who, and definitely not for whom. If the encrypted messages are padded to the same length, even statistical methods will not let an eavesdropper tell who or how many voted for whom. That answer can be produced only by organization 4.
The protection we have here is significantly better, even with complete openness, than in attendance voting. For example, a journalist who watches a polling station and photographs who goes in and out (we see this on TV at every election) gets far more accurate information than someone eavesdropping on the network during online voting.
How do we ensure that signatures are not handed to other people? The guarantee that someone has not given their signature (like their passport) to someone else is the same as in normal voting: none. But again, it is very difficult and unlikely for this to become a mass phenomenon, and moreover it can be checked by a video call (or by taking a picture when the right to vote is obtained).
Sounds complicated? At first glance the technology seems complicated, with many steps. Surely it would be difficult for users to follow? Actually, it would not. The idea of division and of several signatures is neither new nor accidental. It is in fact what the electoral commissions already do in the attendance vote: the personal ID card is a certificate/digital signature issued by the Interior Ministry; the watermarked ballot is certified by the ballot printer; the electoral commission's check of the ID card and the voter's signature in the register is the equivalent of obtaining the right to vote in my step 2; the vote in the booth and the subsequent stamp on the ballot are the equivalent of step 3; the validation of the stamps, the watermarks and the ballots' content by the CEC and Information Services is the equivalent of step 4. Multi-step ticketing of this kind is the classic design of MIT's Kerberos authentication protocol, which has been in production use since the late 1980s and is very widely deployed (Windows Active Directory authentication is based on it), and a similar delegation appears in the popular OAuth 2.0 authorization framework. To the user it looks like filling in their data in one place, while behind the scenes there is a double (or even triple) authorization, and no single organization holds the participant's complete personal data. More importantly, users do not even need to understand how it works, and do not have to log in to three sites at once. But this does not weaken the security guarantees.
Compromised browsers, operating systems and Trojan horses do not automatically compromise the digital signature (the attacks we know of do not break the signature scheme itself; they lie in wait for the moment a user signs in real time and try to take over that session. Even if you suspect one or two such cases, it is impossible to carry this out en masse on election day in a way that would influence the result).
On duplication: since we have an anonymous secondary check (at 4), a user can vote anonymously any number of times (issuing themselves any number of ballots) and only their last vote is counted. This is not only a disadvantage; it may be an advantage. Even if someone is forced by another person to "vote correctly" in front of them, the user can vote again later and invalidate the previous vote. This makes a coerced vote much more difficult (though not vote buying, which cannot be tackled with technology, since it is a personal decision), because people have an alternative. Especially in small towns with strong local influence (where the mayor's threats at the polling station are common), coercion becomes very difficult, since people can go elsewhere and cast a valid ballot.
Since only the user can read the information covered by their own signatures, the system can be built so that the user can verify how they voted (if 4 provides such a service), to detect forgeries or hacks, or to invalidate their choice. Moreover, no one can stop them from doing so, or even know that they have done so without holding all the information from 1, 2, 3 and 4 (and if even one person complains, the problem can be detected easily and the culprit caught). If the police function well, people trying to compromise the system will be caught very quickly.
Note that the technology is not what matters (I use public and private keys because they are a good and familiar example); the procedure and the division are. We follow the same procedure today, but without the division: everything is concentrated in one place and is not checked twice. So forgeries can be made at the point of concentration (the electoral commissions), and for lack of a secondary check they cannot be isolated and caught. In today's attendance voting we also rely on identifiers (book numbers, watermarks) that are considerably easier to fake than those of an online system.
Personally, I not only see no more shortcomings in the remote online voting procedure described above than in our current attendance model, but I see some of the most important technical problems of current voting being addressed: turnout increases (which in turn addresses the distortions we have because of low turnout) thanks to the ease of voting; duplicates can no longer pass validation during the count; and alternatives are created that preserve civil rights and personal choice, which, with better communication with voters, lets us attack the paid vote directly and at minimal cost and make the "feudal" vote pointless.
So far there is not a single case of an online voting or online banking system being broken through its cryptography. There is no publicly known case of a sound digital signature scheme itself being broken in the field (but we know of thousands of forged passports), and no case of a sound authentication algorithm being broken.
We do have cases of stolen signature cards (but like passports they can be invalidated, and unlike passports the invalidation can be instantaneous). We have cases of stolen static certificates. We have cases of banking systems broken through other attacks (access to the software that manages money transfers). We have classic denial-of-service attacks that block or slow down systems. But none of these violates the anonymity or the authentication of users; they result from the poor design of other parts of the software, so they cannot be used as proof that the approach is unreliable. The security of the person and of the end user's decisions is preserved. The poor quality of some systems is a separate problem.
In the scheme I am proposing, no single organization, nor any combination of two of them, can generate a false authorization, a fake ballot, or a false association of a ballot with a vote that would pass inspection at 4. They only record them; the signatures are made locally, by the user alone.
We can have (intentionally) false counting at 4, but all certificates and ballots remain and are subject to secondary inspection, so if there is any suspicion they can be checked, and a fraud caught, far better than in the current attendance model.
Separately, one of the beauties of the scheme is that 1, 2, 3 and even partially 4 can be implemented by private entities, and by several of them at once. We can have many issuers of authorization means (digital signatures), many issuers of online ballots, many websites for associating ballots with votes, and many counting entities. Far from weakening security, this increases it. Users who have suspicions, or who check their own vote and notice a mismatch, can change their vote during the election period (day) and vote again elsewhere, invalidating the error and bypassing the problem. And fake sites can simply be taken down by the police.
Phishing (fake voting sites) would not work, because a fake site does not hold the private key whose public counterpart 3 and 4 expect, so it cannot turn the user's vote into a record that 3 or 4 will accept as valid.
The only attack that remains is denial of service against the voting sites, blocking them so that users cannot vote and get nervous. DoS attacks, however, are handled well by properly distributed and scaled systems. Even without an attack, a system can be extremely slow because it is poorly designed (the Trade Register, or the site for online counting during earlier elections, are examples). But that is no reason not to have online voting; it is a reason to press government agencies to be far more serious about software development.
For those who are less familiar with the subject, a few words about the basic cryptographic algorithms that can be used here (and that are actually used in all systems with digital signatures, online authentication and online banking):
Challenge-response. Imagine two parties communicating over an untrusted network. Party A wants to verify that party B is who it claims to be. Party A knows that party B will identify itself with a piece of information that A also knows (a password, say).
When B wants to identify itself, it asks A for a random number (a challenge). A sends one. B combines the random number with its secret using a keyed hash or encryption and sends the result to A. A knows the number and the algorithm, performs the same computation locally, and compares the result with what it received from B. If they match, B is who it claims to be.
Someone eavesdropping on the network sees that B is authenticating to A, but does not learn B's password, which never passes in the clear. Nor can they reuse what they captured to impersonate B elsewhere or later, because a different random number will be used in that exchange. (What the transcript does give them is material for offline guessing: if the secret is a weak password rather than a long random key, they can try candidate passwords against the captured pair at leisure.)
The result is an active authentication whose secret is never exposed on the wire and whose responses cannot be replayed elsewhere or at another time.
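The exchange just described, as an added example that is not part of the original post. The user name bob, the password hunter2 and the three-word dictionary are constructed; HMAC-SHA256 is my choice for the "encrypt or hash with the random number" step. The last function is the caveat a practitioner adds to the description above: the password never crosses the wire and a captured response cannot be replayed, but the captured (nonce, response) pair is enough to test password guesses offline, so the shared secret in such a scheme should be a long random key rather than a human-chosen password.

```python
# Added example, not from the original post: the challenge-response exchange
# described above, with HMAC-SHA256 as the "encrypt or hash with the random
# number" step. It shows what an eavesdropper cannot do with a captured
# transcript (replay it) and what they can (guess a weak password offline).
import hashlib
import hmac
import secrets

def respond(secret, nonce):                      # party B proves it knows the secret
    return hmac.new(secret, nonce, hashlib.sha256).digest()

class Verifier:                                  # party A; knows each user's secret
    def __init__(self, secrets_by_user):
        self._secrets, self._pending = dict(secrets_by_user), {}

    def challenge(self, user):
        nonce = secrets.token_bytes(16)          # fresh per attempt, never reused
        self._pending[user] = nonce
        return nonce

    def check(self, user, response):
        nonce = self._pending.pop(user, None)    # one response per challenge
        if nonce is None or user not in self._secrets:
            return False
        expected = respond(self._secrets[user], nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison

def replay_attack(verifier, user, secret):
    """Eavesdropper captures one (nonce, response) pair, then replays the response."""
    nonce = verifier.challenge(user)
    captured = respond(secret, nonce)
    first = verifier.check(user, captured)        # the legitimate session completes
    verifier.challenge(user)                      # attacker is handed a *new* nonce...
    return first, verifier.check(user, captured)  # ...so the captured response fails

def offline_guess(nonce, response, wordlist):
    """What the transcript does leak: a weak password can be brute-forced offline."""
    for guess in wordlist:
        if hmac.compare_digest(respond(guess, nonce), response):
            return guess
    return None

def run_challenge_demo():
    v = Verifier({"bob": b"hunter2"})             # constructed user and (weak) password
    nonce = v.challenge("bob")
    response = respond(b"hunter2", nonce)         # this pair is what a sniffer sees
    honest = v.check("bob", response)
    legit_again, replayed = replay_attack(v, "bob", b"hunter2")
    guessed = offline_guess(nonce, response, [b"letmein", b"hunter2", b"qwerty"])
    return {"honest": honest, "legit": legit_again, "replay": replayed, "guessed": guessed}
```

Design notes: the verifier forgets a nonce as soon as one response has been checked against it, so even a response captured before the legitimate check completes cannot be submitted twice, and comparisons use a constant-time function so that timing does not leak how many bytes of a guess were right.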
Asymmetric algorithms. These are the algorithms with public and private keys. The idea is simple: mathematics gives us, with an extremely high degree of assurance, a pair of keys, conventionally called public and private, such that the private key cannot be derived from the public one. What is encrypted with the public key can be decrypted only with the private key, which gives confidentiality: you can hand your public key to everyone, and anyone can send you a message that only you can read. And what is produced with the private key can be checked with the public key, which gives authenticity: if a piece of data verifies under someone's public key, it was signed by the holder of the matching private key and by no one else. This second property is the one the voting scheme relies on.
Certificate. Signatures layered on top of one another. Imagine you create your own public/private key pair. The private key stays with you, but you want the public one to be available to everyone, or to a group of people. You go to the police (or a certificate authority, CA), and they verify that you are you. Then they sign, with their own private key, a statement that says: yes, this is John Smith and this is his public key. What you get back is called a certificate, and you can publish it (or attach it to mail you sign with your private key).
Anyone who receives your certificate and has the public key of the police (CA) can check it. They then know that the police (vouching with its private key) confirm who you are and which public key is yours. With that key they can verify your signed mail and know it was written by you, since only you hold your private key.
Diffie-Hellman. A key agreement protocol rather than an encryption algorithm: the two parties exchange public values over the open network, and each derives the same shared secret from its own private value and the other's public value, while an eavesdropper who sees both public values cannot. On its own it does not say who is at the other end, so in practice it is combined with signatures or certificates.
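Diffie-Hellman carried out end to end, as an added example that is not part of the original post. The group is the 1024-bit MODP group published in RFC 2409 (chosen because it is a well-known published group; it is too small for real use today), the generator is 2, and the agreed value is hashed with SHA-256 to make a key. The second function shows the caveat noted above: a passive snooper learns nothing, but an active attacker who swaps the exchanged values ends up holding one key with each side, and the exchange itself cannot detect that, which is why Diffie-Hellman is used together with signatures or certificates.

```python
# Added example, not from the original post: Diffie-Hellman key agreement in
# the 1024-bit MODP group of RFC 2409 (a published group; too small for real
# use today), plus the man-in-the-middle caveat of an unauthenticated exchange.
import hashlib
import secrets

P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_private():
    return secrets.randbelow(P - 2) + 1            # private exponent in [1, P-2]

def dh_public(x):
    return pow(G, x, P)                            # safe to send in the clear

def dh_shared(x, peer_public):
    """Derive the shared key from my private value and the peer's public value."""
    if not 1 < peer_public < P - 1:                # reject 0, 1 and P-1 (degenerate values)
        raise ValueError("bad peer value")
    return hashlib.sha256(pow(peer_public, x, P).to_bytes(128, "big")).digest()

def honest_exchange():
    """Alice and Bob exchange A and B; a snooper sees P, G, A and B only."""
    a, b = dh_private(), dh_private()
    A, B = dh_public(a), dh_public(b)
    return dh_shared(a, B) == dh_shared(b, A)

def mitm_exchange():
    """Mallory replaces A and B with her own value M. Each side 'agrees' a key
    with Mallory and neither notices, because nothing in the exchange is signed."""
    a, b, m = dh_private(), dh_private(), dh_private()
    A, B, M = dh_public(a), dh_public(b), dh_public(m)
    alice_key, bob_key = dh_shared(a, M), dh_shared(b, M)   # both talk to M, not to each other
    return (alice_key != bob_key
            and alice_key == dh_shared(m, A)       # Mallory can read Alice's traffic...
            and bob_key == dh_shared(m, B))        # ...and Bob's, re-encrypting between them
```

The range check in dh_shared matters in practice: a peer value of 1 or P-1 forces the shared secret into a tiny set, so it must be rejected before any key is derived from it.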
One-time password. A shared secret is combined with a component that changes with time (or with an event counter) to produce a short code, for instance a new six-digit number every thirty seconds. Even if someone overhears the code, it is useless a minute later, because by then the valid code is a different one and the old one is no longer accepted.
Digital signature. A value computed over (the hash of) a document with the private key, which anyone holding the certificate can verify. On a signature card or token the private key never leaves the chip, and its use is protected by a PIN or a challenge-response. It can be done more simply (payment-card chips, for instance, use a much simpler form of authentication) or in more elaborate ways, but that is a choice of implementation, not a problem of the technology. The technology can be remarkably safe even if all public keys and all the certificates are freely available on the net.
It is undeniable that anything can be made unreliable. But it is equally undeniable that it can be made reliable and secure. Whether or not to have online voting should not be the topic of such a discussion; that discussion, on how to do it, comes after we decide to have online voting. To say that it is better not to have it because it can be done badly is like refusing to fly because airplanes occasionally fall. Yes, you will not die in a plane crash, but that does not mean you will live forever, or that a plane will not fall on your head. It only means that you will always be slower than those who travel by plane.
Perhaps I could explain it in even more detail, but the main idea is the division. If we think of associating a ballot with a vote as the act of creating a certificate, except that the private key is generated locally and the public key is associated with an anonymous hash, half of which goes to the one associating the vote and half directly to the one counting, then the associating organization (3) can only validate the information but does not know who voted or how, and the counting organization can validate but does not know who voted. Only the user can check, read and (re)vote, locally.
Mathematics allows this. Many online authorization systems already operate this way, so it can be done safely and reliably. The question in fact has never been one of technology, has it?
Edited version from the blog of Delyan Delchev. It is published with the consent of the author.